RBI proposes AI guardrails for banks and NBFCs: what compliance officers need to know

This article is for informational purposes only and does not constitute financial, tax, or legal advice. Consult a qualified professional for guidance specific to your situation.

Editorial note: Reviewed for accuracy by the Startup Finance Guide editorial team. Our editors cross-reference all claims against platform documentation, regulatory publications, and vendor disclosures. Last reviewed: 2026-06-27.

The Reserve Bank of India (RBI) released draft "Guidance on Regulatory Principles for Model Risk Management, 2026" in June 2026, proposing that every bank, non-banking financial company (NBFC), payment bank, cooperative bank, and credit information company operating in India must be able to instantly override, suspend, or shut down any AI model it deploys, including through a formal "kill switch" arrangement. The comment window closes July 24, 2026.

The proposal covers commercial banks, small finance banks, payment banks, cooperative banks, NBFCs, asset reconstruction companies, and credit information companies. It arrives as Indian financial institutions have sharply increased their use of AI in credit underwriting, collections, fraud detection, and customer support. The RBI's concern is straightforward: a chatbot dispensing incorrect financial advice at scale, or an underwriting model that inadvertently discriminates against a class of borrowers, can generate systemic consumer harm before any human reviewer notices. The draft treats AI governance as an enterprise risk discipline, not a technology project.

What changed

The draft framework is notable for how broadly it defines "model." As Shashank Karincheti, co-founder of Redacto, told Inc42: "The draft defines a 'model' so broadly that a spreadsheet pricing calculator counts if it drives decisions. This isn't a GenAI rule; it pulls in every legacy scorecard and rule engine, and most institutions don't have a complete model inventory today. That inventory is the real day one work."

That scope matters. The framework is not limited to large language models or generative AI products. A decades-old rule-based loan-pricing calculator, a third-party fraud-scoring engine, or a credit bureau model all fall within the proposed perimeter if they drive regulated decisions.

The specific requirements in the draft include:

• A complete, formally documented inventory of every model deployed across the organisation. No model may be used unless it appears in that inventory.
• Explainability thresholds, so that model outputs can be interpreted and challenged.
• Safeguards against AI hallucinations and adversarial attacks, with stress testing under abnormal scenarios.
• Continuous monitoring for bias and discriminatory outcomes throughout the model lifecycle.
• Independent validation of all models, including those procured from third-party vendors.
• Human-in-command arrangements and periodic human review of model-driven decisions to catch anomalies.
• Kill switch mechanisms that allow immediate deactivation when a model behaves unexpectedly or generates harmful outputs.
• Disclosure to customers that they are interacting with an AI system, plus an option to switch to a human agent on request.
• Board-level accountability for AI-driven decisions.

Sajeev Viswanathan, CEO of New Street Technologies (a blockchain-based loan lifecycle management company), described the approach to Inc42 as a "tiered risk framework that differentiates between low- and high-risk use cases," combined with board accountability and human oversight. The RBI has not imposed blanket restrictions on AI deployment, which the industry has broadly welcomed, though the compliance burden for legacy model inventories is significant.

This direction is consistent with how other major regulators are moving. The European Union's AI Act, which entered phased application in 2024, similarly classifies credit scoring and debt collection AI as high-risk systems subject to mandatory human oversight and documentation requirements. In the United States, the Consumer Financial Protection Bureau (CFPB) has issued guidance warning that automated decision systems in credit and collections must still comply with the Equal Credit Opportunity Act and the Fair Debt Collection Practices Act, though the CFPB has not yet published a standalone AI governance framework equivalent to the RBI's draft.

What this means for compliance officers

If your organisation deploys any AI-assisted collections, credit decisioning, or customer-facing voice or chat system in India, the RBI draft has direct operational implications, even though it is not yet final.

The first task is the model inventory. Most institutions, per industry feedback cited in the Inc42 report, do not have a complete list of every model driving decisions today. That inventory must cover internally built tools and third-party systems alike. Vendors of AI collections platforms, whether Indian-market players or international ones such as Floatbot, Vodex, or Retell AI, will need to provide documentation sufficient for their bank and NBFC clients to satisfy independent validation requirements. Compliance officers should begin requesting model cards, validation reports, and audit logs from any AI vendor now, before the framework is finalised.

The kill switch requirement is not purely technical. It requires a governance process: who has authority to trigger deactivation, under what conditions, and what the fallback workflow is when an AI system goes offline mid-collection cycle. For voice AI deployed in collections, that means a documented human escalation path must exist and be tested.

The explainability requirement will affect how AI-generated collection decisions are documented. If a voice AI system recommends a repayment schedule or flags an account for escalation, the model's reasoning must be interpretable by a human reviewer. Black-box models that cannot produce that explanation will not meet the standard as proposed.

Customer disclosure is a separate operational item. Any customer-facing AI system, including chatbots and voice agents used in collections, must identify itself as AI and offer a human transfer option. This is already a norm in some markets but is not uniformly implemented across Indian fintech deployments.

For cross-border startups with Indian lending or collections operations, the framework adds a compliance layer that sits alongside Foreign Exchange Management Act (FEMA) obligations and existing RBI directions on digital lending. The board-level accountability requirement means that AI governance cannot remain solely within the technology or operations function.

Limitations and open questions

The draft is open for comment until July 24, 2026, and the final guidelines may differ materially from the current text. The RBI has indicated that additional AI-specific requirements could follow in future circulars, so the July 24 version is unlikely to be the last word.

Several practical questions remain unanswered. The draft does not specify the format or minimum content of a compliant model inventory, which leaves institutions to interpret what documentation standard will satisfy an examiner. The independent validation requirement for third-party models is clear in principle but the draft does not define who qualifies as an independent validator or what a validation report must contain.

The tiered risk framework referenced by industry executives has not been published in detail. The RBI has signalled that low-risk and high-risk AI use cases will face different requirements, but the criteria for that classification are not yet specified.

Finally, the draft does not address cross-border data flows explicitly. For NBFCs and fintechs that process Indian customer data on cloud infrastructure outside India, the interaction between the model governance requirements and existing RBI data localisation directions is not resolved in this document.

Compliance officers should submit comments by July 24 if their organisation has specific concerns about scope, validation standards, or the treatment of legacy systems, and should begin internal model inventory work regardless of the final rule text.

This article is for informational purposes only and does not constitute financial, tax, or legal advice. Consult a qualified professional for guidance specific to your situation.